[Samba] Sysvol issues after DC migration
Rowland Penny
rpenny at samba.org
Tue Mar 16 10:09:00 UTC 2021
On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
> I've removed uidNumber from the Administrator user (it had 2500).
> Still getting the same "Access is denied" when trying to change
> things, and can't set the owner.
>
> The Administrator user also has the gidNumber 512, if that helps
> anything.
It sounds like someone has given everything a uidNumber or gidNumber.
Try checking the following users for a uidNumber or gidNumber attribute:
administrator
guest
krbtgt
Remove any that you find. Do the same for these groups:
cert publishers
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
domain admins
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
Then run 'net cache flush' on all Unix domain members.
If you still cannot use Administrator to change things on a Samba DC,
then check if idmap.ldb contains an object similar to this:
dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID.
Rowland
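
The checks described in the message above, as an added example that is not part of the original post or of Samba: it reads LDIF text exported from sam.ldb and idmap.ldb (for instance with ldbsearch), reports which of the listed accounts and groups carry a uidNumber or gidNumber, and tests whether the RID 500 entry maps to xidNumber 0 with ID_TYPE_UID. The function names, the matching on sAMAccountName and all sample records (including the SID) are assumptions constructed for illustration.

```python
WELL_KNOWN = {  # account and group names listed in the message above
    "administrator", "guest", "krbtgt", "cert publishers", "ras and ias servers",
    "allowed rodc password replication group", "denied rodc password replication group",
    "enterprise read-only domain controllers", "domain admins", "domain guests",
    "domain computers", "domain controllers", "schema admins", "enterprise admins",
    "group policy creator owners", "read-only domain controllers",
}

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} records."""
    records = []
    for block in text.split("\n\n"):          # a blank line separates records
        rec = {}
        for line in block.splitlines():
            if line and line[0] not in "# " and ":" in line:  # skip comments/continuations
                key, _, value = line.partition(":")
                rec.setdefault(key.lower(), []).append(value.strip())
        records += [rec] if rec else []
    return records

def find_offenders(sam_ldif):
    """Return sorted (sAMAccountName, attribute, value) for listed names that carry an ID."""
    hits = []
    for rec in parse_ldif(sam_ldif):
        name = rec.get("samaccountname", [""])[0]
        if name.lower() in WELL_KNOWN:        # ordinary users and groups are left alone
            hits += [(name, a, rec[a][0]) for a in ("uidnumber", "gidnumber") if a in rec]
    return sorted(hits)

def admin_maps_to_root(idmap_ldif):
    """True if the RID 500 (Administrator) sidMap entry is ID_TYPE_UID with xidNumber 0."""
    return any(r.get("objectsid", [""])[0].endswith("-500")
               and r.get("type") == ["ID_TYPE_UID"] and r.get("xidnumber") == ["0"]
               for r in parse_ldif(idmap_ldif))
# Constructed sample input (not taken from a real domain).
SAM_SAMPLE = """dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
gidNumber: 512

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10000

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001"""
IDMAP_SAMPLE = """dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0"""
```
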